dlorente
Staff
Article Id 345018
Description This article describes how FortiGate handles SD-WAN traffic based on the Default and Gateway parameters of an SD-WAN rule. It walks through different routing scenarios, shows how FortiGate selects the SD-WAN member depending on the configured criteria, and outlines the behavior when these parameters are enabled or disabled and the resulting impact on traffic steering.
Scope FortiGate v7.0, v7.2, v7.4 and v7.6
Solution

By default, SD-WAN steers traffic by applying the following two criteria:

 

  1. SD-WAN rules match only when SD-WAN is the best route: an SD-WAN rule is matched only if the best route to the destination in the FIB is through an SD-WAN member. If the best route belongs to an interface that is not an SD-WAN member, the rule is not matched and the traffic follows a regular FIB lookup. ---> Default disabled (by default).
  2. An SD-WAN member is selected only if it has a valid route to the destination: once an SD-WAN rule is matched and evaluated, the system selects an SD-WAN member based on the configured strategy. However, traffic is sent through that member only if it has a valid route to the destination. If no valid route exists, the system skips to the next available SD-WAN member. ---> Gateway disabled (by default).

 

Scenario 1:

(Diagram: Drawing1.jpg)

  • Client pings 8.8.8.8.
  • SD-WAN member: port4.
  • Non-SD-WAN interfaces: port1 and port3.
  • Configuration:

 

FGT-1 # diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members(1):
1: Seq_num(3 port1), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
Dst address(1):
0.0.0.0-255.255.255.255

 

FGT-1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*       0.0.0.0/0 [1/0] via 192.168.1.2, port4, [1/0]
S        8.8.8.8/32 [10/0] via 10.191.31.254, port1, [1/0]
C        10.10.10.0/24 is directly connected, port3
C        10.191.16.0/20 is directly connected, port1
S        100.100.1.0/24 [1/0] via 192.168.1.2, port4, [1/0]
C        192.168.1.0/24 is directly connected, port4

 

Possible cases:

  • When both Default and Gateway are disabled, FortiGate first checks whether the best route to the destination is through an SD-WAN member. Here the best route to 8.8.8.8 (8.8.8.8/32) points to port1, which is not part of the SD-WAN, so the best route does not belong to an SD-WAN member. As a result, FortiGate does not match the SD-WAN rule and instead performs a regular routing lookup in the Forwarding Information Base (FIB). Based on the FIB, traffic destined for 8.8.8.8 is routed through port1, so the traffic ultimately exits through port1.
  • When Default is enabled but Gateway is not, FortiGate behaves slightly differently. It no longer evaluates whether the best route to the destination is via an SD-WAN member; instead, it checks whether any SD-WAN member can route the traffic. Since port4 is an SD-WAN member with a route to the destination, the rule is matched and FortiGate then verifies the second condition: whether port4 has a valid route to the destination in the FIB. As 0.0.0.0/0 is the default gateway via port4, this condition is met. With both SD-WAN criteria fulfilled, FortiGate directs the traffic through port4 towards ISP2.
  • When both Default and Gateway are enabled, the behavior mirrors the scenario where only Default is enabled. Since port4 is an SD-WAN member with a route to the destination, FortiGate matches the SD-WAN rule. In this setup, it does not matter whether the best route is through the SD-WAN member; the important factor is that a route to the destination exists in the FIB for any SD-WAN member. The member that forwards the traffic does not need to be the same one that caused the rule to match. Once the rule is matched, FortiGate normally walks the members in preference order or by best metric (depending on the configuration), checking from top to bottom for a valid route to the destination. However, because 'gateway enable' is active, FortiGate skips this check: it no longer evaluates whether there is a valid route to the destination and only considers whether the member has a gateway to send traffic to. In this case, port4, being the only SD-WAN member in the rule, forwards the traffic to ISP2. While the outcome is the same as in the previous case, the logic behind it differs.
  • When Default is disabled but Gateway is enabled, FortiGate applies its primary rule: checking whether the best route to the destination is through an SD-WAN member. Since the best route to the destination is through port1 (which is not part of the SD-WAN), FortiGate does not match the SD-WAN rule and directs the traffic through port1 based on the FIB.

 

Scenario 2:

(Diagram: Drawing2.jpg)

 

  • Client pings 8.8.8.8.
  • SD-WAN members: port2 and port4.
  • Non-SD-WAN interfaces: port1 and port3.
  • Configuration:

 

FGT-1 # diagnose sys sdwan service

Service(1): Address Mode(IPV4) flags=0x200 use-shortcut-sla
Tie break: cfg
Gen(1), TOS(0x0/0x0), Protocol(0: 1->65535), Mode(sla), sla-compare-order
Members(1):
1: Seq_num(3 port1), alive, sla(0x1), gid(0), cfg_order(0), local cost(0), selected
Dst address(1):
0.0.0.0-255.255.255.255

 

FGT-1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*       0.0.0.0/0 [1/0] via 10.191.47.254, port2, [1/0]
S        8.8.8.8/32 [10/0] via 10.191.31.254, port1, [1/0]
C        10.10.10.0/24 is directly connected, port3
C        10.191.16.0/20 is directly connected, port1
C        10.191.32.0/20 is directly connected, port2
S        100.100.1.0/24 [1/0] via 192.168.1.2, port4, [1/0]
C        192.168.1.0/24 is directly connected, port4

 

Possible cases:

  • When both Default and Gateway are disabled, as explained earlier, FortiGate first checks whether the best route to the destination is through an SD-WAN member. Since the best route (8.8.8.8/32) points to port1, which is not part of the SD-WAN, the same logic applies: the SD-WAN rule is not matched, and the traffic is routed via port1 based on the FIB, ultimately exiting through ISP1.
  • When Default is enabled but Gateway is not, FortiGate checks whether any SD-WAN member has a route to the destination, even if it is not the best route. If this condition is met, FortiGate matches the configured SD-WAN rule and then analyzes whether the members of that rule have a valid route to the destination. In this instance, FortiGate finds a possible route to the destination through the SD-WAN member port2 (the default route), so the rule is matched. However, the only member in that rule is port4, and port4 does not have a valid route to 8.8.8.8, so the traffic is handled according to the implicit SD-WAN rule. This means FortiGate applies the configured load-balancing method between the SD-WAN members.
  • When both Default and Gateway are enabled, FortiGate sends the traffic without evaluating whether the best route to the destination is via SD-WAN, as long as some SD-WAN member has a route to the destination so that the rule matches. Once this happens, the traffic is directed to the member with the highest priority or best SLA. In this case, since port2 is an SD-WAN member with a route to the destination, the traffic matches the rule, and because the only member in the rule is port4, the traffic is directed to it regardless of whether it has a valid route to the destination. The traffic is then sent out port4 towards FGT-2, relying on FGT-2 to forward it appropriately.
  • When Default is disabled but Gateway is enabled, FortiGate checks the best route to the destination and finds that it belongs to port1, which is not an SD-WAN member. As a result, FortiGate does not evaluate the SD-WAN rule, and the traffic is handled by the FIB. Consequently, the traffic is directed to ISP1 through port1.
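As an added illustration that is not part of the original article or of Fortinet's code, the following Python model reproduces the decision logic described in both scenarios above for the four Default/Gateway combinations, using the two routing tables shown. The FIB lists are constructed from those tables; treating the implicit rule as load balancing over the SD-WAN members that hold a route to the destination is an assumption of this model.

```python
import ipaddress

# Constructed from the two routing tables above: (prefix, egress interface)
FIB_SCENARIO_1 = [("0.0.0.0/0", "port4"), ("8.8.8.8/32", "port1"),
                  ("10.10.10.0/24", "port3"), ("10.191.16.0/20", "port1"),
                  ("100.100.1.0/24", "port4"), ("192.168.1.0/24", "port4")]
FIB_SCENARIO_2 = [("0.0.0.0/0", "port2"), ("8.8.8.8/32", "port1"),
                  ("10.10.10.0/24", "port3"), ("10.191.16.0/20", "port1"),
                  ("10.191.32.0/20", "port2"), ("100.100.1.0/24", "port4"),
                  ("192.168.1.0/24", "port4")]

def routes_for(fib, dst):
    """All FIB entries covering dst, most specific (best route) first."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), i) for p, i in fib
            if addr in ipaddress.ip_network(p)]
    return sorted(hits, key=lambda h: h[0].prefixlen, reverse=True)

def steer(fib, sdwan_members, rule_members, dst, default, gateway):
    """Model of the article's rule matching; returns ('fib'|'rule'|'implicit', where)."""
    routes = routes_for(fib, dst)
    best_iface = routes[0][1] if routes else None
    ifaces_with_route = {i for _, i in routes}
    if not default:
        # Default disabled: rule can match only if the best route is via an SD-WAN member
        matched = best_iface in sdwan_members
    else:
        # Default enabled: rule matches if any SD-WAN member has a route, best or not
        matched = any(m in ifaces_with_route for m in sdwan_members)
    if not matched:
        return ("fib", best_iface)           # regular FIB lookup decides egress
    for member in rule_members:            # configured order, top to bottom
        # Gateway enabled: the valid-route check is skipped; member forwards regardless
        if gateway or member in ifaces_with_route:
            return ("rule", member)
    # No usable rule member: implicit rule, modelled here (assumption) as load
    # balancing over the SD-WAN members that do have a route to the destination
    return ("implicit", [m for m in sdwan_members if m in ifaces_with_route])

def all_cases(fib, sdwan_members, rule_members, dst="8.8.8.8"):
    """Evaluate the four Default/Gateway combinations for one scenario."""
    return {(d, g): steer(fib, sdwan_members, rule_members, dst, d, g)
            for d in (False, True) for g in (False, True)}

if __name__ == "__main__":
    for name, fib, members in (("Scenario 1", FIB_SCENARIO_1, ["port4"]),
                               ("Scenario 2", FIB_SCENARIO_2, ["port2", "port4"])):
        for (d, g), result in all_cases(fib, members, ["port4"]).items():
            print(f"{name} default={d} gateway={g}: {result}")
```

Running it prints the egress decision for each combination; in Scenario 2 with only Default enabled the rule matches via port2 but port4 lacks a route, so the model falls through to the implicit rule.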

 

In summary, understanding the behavior of the Default and Gateway settings in SD-WAN is essential for optimizing traffic flow and maintaining smooth network performance. With the correct configuration, SD-WAN's features can be fully leveraged, adding both flexibility and reliability to the network. It is crucial to test and verify the setup to ensure everything functions as expected.

 

Related articles:

Technical Tip: Explaining the SD-WAN rule matching process

Technical Tip: Multiple default routes where SD-WAN rules are not preferred